4. Select a city that I have lived in

5. My current mortgage payment amount

I wasn't sure of #2 and #5, and I was given 10 whole minutes (600 seconds) to answer correctly. I opened a Google search box and in less than three minutes (173 seconds), I was able to find the right answer to all five questions.

Our personal data is out there; we just need to know how to find it. And if it was so easy for me, keep in mind it is much easier for a cybercriminal to find this data. Cybercriminals are thriving with the amount of data that is available.

No Masked Bandits

Fraudsters are getting smart and online fraud is becoming easier. Let us start by looking at a few creative ways this fraud is being perpetrated:

Ransomware: Locking a computer or an organization's network down and asking for bitcoins (ransom that cannot be traced) has been around for a few years. The new challenge here is they are targeting smaller financial institutions and consumers who are much more vulnerable.

Denial of service attacks: An organization's IP addresses can get hit by a string of proxy (they can appear local) IP addresses. The sudden spike in traffic can slow down a financial institution's web assets and even bring them down.

Digitally advertised jobs: The advertisement seeks a financially responsible individual with good credit to cash checks at their financial institutions, purchase gift cards, ship them to a P.O. Box and collect a commission on the entire transaction. The first check presented is good and the second check bounces. The criminal enterprise has stolen between a few hundred to a few thousand dollars. Who should the financial institution press charges against – the gullible individual or the IP address that advertised the job? How do the authorities even track down the defrauding IP address?

"Indirect" fraud: Stolen credit cards are used to purchase merchandise that is shipped to a legitimate organization. The stolen merchandise is resold online at a significant discount. The legitimate organization then proceeds to ship the merchandise to the new legitimate buyer. The authorities are eventually able to solve the crime as they trace the sale back to the organization. What do they find? The legitimate organization could be elderly residents at an assisted living center, the parent-teacher organization at a school district or even a student-run branch. These unsuspecting groups fell into the trap of receiving, packing and shipping stolen merchandise.

EMV fraud: The criminal creates a card with a mag stripe with stolen consumer information. The card also has a chip. The criminal uses their nails to damage the chip. The EMV chip is inserted to complete a transaction and it does not work. The merchant tries it again – it still does not work. Finally, the merchant allows the criminal to slide the card, the transaction is complete and the merchandise is stolen.

Social engineering: This refers to "the clever manipulation of the natural human tendency to trust." Cybercriminals use multiple avenues to collect information about consumers. They do this from stolen mail, social media, dating sites, etc. to build up a profile about a particular consumer. The cybercriminal groups know the questions financial institutions use to authenticate consumers and have started collecting this data to create complete profiles of potential targets.

An inside job: In December of 2016, a number of financial institution ATMs were successfully targeted by fraudsters. Fraudulently duplicated cards with EMV chips were inserted into ATMs with EMV chip card acceptors and a significant amount of money was stolen. But wait, wasn't the EMV chip supposed to add a level of security? Unfortunately, the EMV software service was not enabled on these ATMs. How did these fraudsters know which ATMs to target? Were they able to hack into the ATM processor's database or did they have help from the inside?

Countering and Circumventing Cybercrime

Community financial institutions simply do not have the bandwidth to deal with cybercrime. They investigate the fraud to a certain extent, turn it over to the authorities, and eventually end up writing off the loss. Larger financial institutions have task forces to address cybercrime but are sometimes disorganized in their approach to circumvent this crime.

Here are some thoughts on efforts you could be looking at to help counter these challenges:

Focus on education: Educate employees on the emerging types of crimes and also do an outreach to the members you serve so they can be careful with how they use and share information. The examples I have shared are very interesting and the consumers you serve should be made aware of the creativity being employed by fraudsters.

Review your rules: Most financial institutions rely on a rule-based approach to circumvent fraud. Take another look at these rules and think about including a dynamic, heuristic, intelligence-based initiative. What if you could group merchants, IP addresses, times of day, individual consumer patterns and suspect transactions?

Consider biometric authentication: Many emerging countries have instituted biometric authentication to identify consumers on their mobile devices, assign a location to the transaction, and then use artificial intelligence to generate a dynamic challenge question (if necessary). What would it take to implement this at your financial institution?

Collaborate and prosecute: Share ideal practices and fraud cases with peer financial institutions. By knowing about problems, you will be able to address them effectively. Also, do not hold back on tracking and prosecuting fraud. Turning up the heat on fraudsters will also help in driving effective legislation. A keen initiative being undertaken by many credit union leagues is collaborative learning and understanding of fraud.

Have common sense and a sense of urgency: Teach your people channel that "if it is too good to be true it probably isn't." Track and follow up on transactions in as near real-time as possible. A lot of fraud goes unreported because a smaller or duplicate transaction is easier to forget.

Next Steps

The average loss for financial institutions is estimated at roughly $45,000 per $100 million in assets. This fraud loss is expected to go up. It is significant! What are you doing to prepare your organization to circumvent it?

Sundeep Kapur is founder of Digital Credence. He can be reached at [email protected].